paulley
newbie
Topic Author
Posts: 26
Joined: Thu Aug 30, 2012 4:15 pm

Loadbalance or other option?

Tue Mar 07, 2017 12:04 pm

Hi,

Considering the following:

1x (very slow) WAN with fixed IP (slowWAN)
1x WAN 4G (fastWAN)

1x Microsoft Small Business Server with DHCP and DNS option.

The fixed IP is needed for the server, so all incoming traffic from the slowWAN needs to go to the server inside the LAN.
All clients want to have network access to the server, but also want to have fast internet.

What will be the best practice for this specific situation?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Loadbalance or other option?

Wed Mar 08, 2017 1:16 am

Working solution would be to start with normal load balancing configuration (as described e.g. here). But instead of two PCC rules use static ones:
/ip firewall mangle
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
    action=mark-connection new-connection-mark=ISP1_conn src-address=192.168.0.250
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
    action=mark-connection new-connection-mark=ISP2_conn
 
paulley
newbie
Topic Author
Posts: 26
Joined: Thu Aug 30, 2012 4:15 pm

Re: Loadbalance or other option?

Wed Mar 08, 2017 5:07 pm

Working solution would be to start with normal load balancing configuration (as described e.g. here). But instead of two PCC rules use static ones:
/ip firewall mangle
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
    action=mark-connection new-connection-mark=ISP1_conn src-address=192.168.0.250
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
    action=mark-connection new-connection-mark=ISP2_conn

As per the example on this page, I implemented the mangle etc.

It seems to work, that is, I can access my server from the outside.
But... when doing a speedtest, speedtest.net shows my IP of the 4G connection, but with the speed of the slow cable connection.
And... in https://www.whatismyip.com/ it shows my cable IP...

Very strange.

Here is my configuration:
/interface export
# mar/08/2017 14:50:00 by RouterOS 6.18
# software id = M0M9-4BB5
#
/interface bridge
add admin-mac=4C:5E:0C:30:54:F8 auto-mac=no comment=LAN l2mtu=1598 name=\
    bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment="Low Speed" name=ISP1
set [ find default-name=ether3 ] comment="High Speed" name=ISP2
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
    ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
    ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
    ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=\
    ether10-slave-local
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local

/ip export 
# mar/08/2017 14:50:55 by RouterOS 6.18
# software id = M0M9-4BB5
#
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip address
add address=192.168.1.1/24 comment="default configuration" interface=bridge-local network=192.168.1.0
add address=10.0.0.218/30 interface=ISP1 network=10.0.0.216
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ISP1
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ISP2
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-local name=default
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input dst-port=8291 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=ISP1
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall mangle
add chain=prerouting dst-address=192.168.0.0/24 in-interface=bridge-local
add chain=prerouting dst-address=10.0.0.216/30 in-interface=bridge-local
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ISP2 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ISP1 new-connection-mark=ISP2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=ISP2_conn per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=ISP1_conn per-connection-classifier=both-addresses:2/0
add action=mark-routing chain=prerouting connection-mark=ISP2_conn in-interface=bridge-local new-routing-mark=to_ISP2
add action=mark-routing chain=prerouting connection-mark=ISP1_conn in-interface=bridge-local new-routing-mark=to_ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=to_ISP2
add action=mark-routing chain=output connection-mark=ISP1_conn new-routing-mark=to_ISP1
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ISP2 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="default configuration" out-interface=ISP1 to-addresses=0.0.0.0
add action=dst-nat chain=dstnat comment="SMTP SBS" dst-port=25 in-interface=ISP1 protocol=tcp to-addresses=192.168.1.250
add action=dst-nat chain=dstnat comment=HTTPS dst-port=443 in-interface=ISP1 protocol=tcp to-addresses=192.168.1.250

/ip firewall service-port
set ftp disabled=yes
set pptp disabled=yes

/ip route
add check-gateway=ping distance=1 gateway=10.0.0.217 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=to_ISP2
add check-gateway=ping distance=1 gateway=192.168.0.1
add check-gateway=ping distance=1 gateway=10.0.0.217
add disabled=yes distance=1 gateway=10.0.0.217

/ip upnp
set allow-disable-external-interface=no
// IP address of cable is obfuscated :)

P.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Loadbalance or other option?

Wed Mar 08, 2017 5:38 pm

It looks like you only read first sentence of my answer. Try the other one too. ;)

I.e. do not use these rules for load balancing:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=ISP2_conn per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=ISP1_conn per-connection-classifier=both-addresses:2/0
But instead use the ones I posted, to make server always use one WAN and clients the other WAN.
 
paulley
newbie
Topic Author
Posts: 26
Joined: Thu Aug 30, 2012 4:15 pm

Re: Loadbalance or other option?

Wed Mar 08, 2017 9:30 pm

It looks like you only read first sentence of my answer. Try the other one too. ;)

I.e. do not use these rules for load balancing:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=ISP2_conn per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=ISP1_conn per-connection-classifier=both-addresses:2/0
But instead use the ones I posted, to make server always use one WAN and clients the other WAN.


Cannot test it right now, because I'm off-site and disconnected the high-speed router :D
Thanks for pointing out!

Stupid question: does the order of the rules make any difference? (because I've played with them :))

P.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Loadbalance or other option?

Wed Mar 08, 2017 11:20 pm

Yes, order of rules is very important, because it's how they are processed. You can move some without causing any problems, but not others. For example in mangle table, you need to mark connections first and then mark routing for them. Swap these rules and it won't work. It's always best to understand what rules do, then it's pretty obvious what should be where.
 
paulley
newbie
Topic Author
Posts: 26
Joined: Thu Aug 30, 2012 4:15 pm

Re: Loadbalance or other option?

Thu Mar 09, 2017 11:27 am

Yes, order of rules is very important, because it's how they are processed. You can move some without causing any problems, but not others. For example in mangle table, you need to mark connections first and then mark routing for them. Swap these rules and it won't work. It's always best to understand what rules do, then it's pretty obvious what should be where.

Thank you very much Sob!

I'm now getting the speed I wanted, but...

The incoming traffic over my public IP (ISP1) should be NATted to 192.168.1.250, but it isn't working when I connect ISP2...?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Loadbalance or other option?

Thu Mar 09, 2017 11:59 pm

Look closely at these two rules from config you posted:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ISP2 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ISP1 new-connection-mark=ISP2_conn
You have mixed up interfaces and connection marks.
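The effect of the swapped marks, and of the rule order discussed earlier in the thread, traced in a small simulation. This is an added example, not code from any poster; it models only `in-interface`, `src-address` and `connection-mark` matching, and the rule set combines the two WAN rules as first posted with the static rules adapted to `bridge-local` and the server at 192.168.1.250 (an assumption).

```python
import shlex

# Rules in the thread's naming (constructed: the two WAN rules as first posted,
# plus the static LAN rules adapted to bridge-local and server 192.168.1.250).
POSTED = """
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ISP2 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ISP1 new-connection-mark=ISP2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=bridge-local src-address=192.168.1.250 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=bridge-local new-connection-mark=ISP2_conn
add action=mark-routing chain=prerouting connection-mark=ISP2_conn in-interface=bridge-local new-routing-mark=to_ISP2
add action=mark-routing chain=prerouting connection-mark=ISP1_conn in-interface=bridge-local new-routing-mark=to_ISP1
"""
# Corrected set: connections arriving on a WAN get that WAN's own mark.
FIXED = (POSTED.replace("ISP2 new-connection-mark=ISP1_conn", "ISP2 new-connection-mark=ISP2_conn")
               .replace("ISP1 new-connection-mark=ISP2_conn", "ISP1 new-connection-mark=ISP1_conn"))

def parse(text):
    """One dict of key=value pairs per 'add' line."""
    return [dict(t.split("=", 1) for t in shlex.split(ln)[1:]) for ln in text.strip().splitlines()]

def prerouting(rules, pkt, conn):
    """Pass one packet through the chain in order. Both mark actions default to
    passthrough=yes, so later rules still see the packet."""
    routing_mark = None
    for r in rules:
        if any(k in r and r[k] != pkt.get(k) for k in ("in-interface", "src-address")):
            continue
        if r["connection-mark"] != conn["mark"]:
            continue
        if r["action"] == "mark-connection":
            conn["mark"] = r["new-connection-mark"]
        else:
            routing_mark = r["new-routing-mark"]
    return routing_mark

def inbound_reply(rules, wan):
    """A connection arrives on `wan` and is dst-natted to the server; return the
    routing mark put on the server's reply packets."""
    conn = {"mark": "no-mark"}
    prerouting(rules, {"in-interface": wan}, conn)
    return prerouting(rules, {"in-interface": "bridge-local", "src-address": "192.168.1.250"}, conn)

def outbound_first(rules, src):
    """Routing mark on the first packet of a new LAN-originated connection."""
    return prerouting(rules, {"in-interface": "bridge-local", "src-address": src}, {"mark": "no-mark"})

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("fixed", FIXED)):
        print(name, "reply to ISP1 inbound ->", inbound_reply(parse(text), "ISP1"))
```

With the posted rules, replies to connections that came in on ISP1 are given the `to_ISP2` routing mark; moving the `mark-routing` rules ahead of the `mark-connection` rules leaves the first packet of each new LAN connection without a routing mark.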
 
paulley
newbie
Topic Author
Posts: 26
Joined: Thu Aug 30, 2012 4:15 pm

Re: Loadbalance or other option?

Fri Mar 10, 2017 1:02 pm

Look closely at these two rules from config you posted:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ISP2 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ISP1 new-connection-mark=ISP2_conn
You have mixed up interfaces and connection marks.

Thank you very much for pointing out!

Works like a charm!!
Next time you come to Austria, I'll buy you a beer :D
P
 
OKNET
Member
Posts: 361
Joined: Mon Jun 22, 2015 9:22 am

Re: Loadbalance or other option?

Fri Mar 10, 2017 10:58 pm

You can eventually "weight" PCC between slow and fast WAN:

add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=ISP1_conn per-connection-classifier=both-addresses:5/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=ISP2_conn per-connection-classifier=both-addresses:5/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=ISP2_conn per-connection-classifier=both-addresses:5/2
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=ISP2_conn per-connection-classifier=both-addresses:5/3
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=ISP2_conn per-connection-classifier=both-addresses:5/4

4 to 1 speed ratio in example
(assuming ISP1 is the slow one)
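A check for a weighted PCC rule set like the one above, added here as an example and not taken from the thread: it reads the `per-connection-classifier` values, reports the share of hash buckets each connection mark receives, and lists any remainder that no rule covers (connections hashing there stay unmarked and follow the main routing table). The rule text is reduced to the fields the check needs.

```python
import shlex
from collections import Counter
from fractions import Fraction

# The five weighted rules, reduced to the relevant fields (constructed from the post).
WEIGHTED = """
add action=mark-connection new-connection-mark=ISP1_conn per-connection-classifier=both-addresses:5/0
add action=mark-connection new-connection-mark=ISP2_conn per-connection-classifier=both-addresses:5/1
add action=mark-connection new-connection-mark=ISP2_conn per-connection-classifier=both-addresses:5/2
add action=mark-connection new-connection-mark=ISP2_conn per-connection-classifier=both-addresses:5/3
add action=mark-connection new-connection-mark=ISP2_conn per-connection-classifier=both-addresses:5/4
"""

def pcc_shares(text):
    """Return ({mark: share of hash buckets}, [remainders no rule covers])."""
    buckets, denominators = {}, set()
    for line in text.strip().splitlines():
        rule = dict(t.split("=", 1) for t in shlex.split(line)[1:])
        _fields, frac = rule["per-connection-classifier"].rsplit(":", 1)
        denom, rem = (int(x) for x in frac.split("/"))
        denominators.add(denom)
        # Rules match on connection-mark=no-mark, so the first rule for a
        # remainder wins and later duplicates never fire.
        buckets.setdefault(rem, rule["new-connection-mark"])
    if len(denominators) != 1:
        raise ValueError("rules use different denominators: %s" % sorted(denominators))
    n = denominators.pop()
    counts = Counter(buckets.values())
    shares = {mark: Fraction(c, n) for mark, c in counts.items()}
    uncovered = sorted(set(range(n)) - set(buckets))
    return shares, uncovered

if __name__ == "__main__":
    shares, uncovered = pcc_shares(WEIGHTED)
    for mark, share in shares.items():
        print(mark, share)
    print("uncovered remainders:", uncovered)
```

The shares are fractions of source/destination address pairs, not of bandwidth: with `both-addresses`, every connection between the same two hosts lands in the same bucket and therefore on the same WAN.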